Three Steps to Safer Passwords

Passwords. Everybody has them, everybody hates them. Stolen passwords are the keys to the kingdom, forgotten passwords are the bane of every support desk worker's life. But they're the simplest way to protect a digital asset, requiring only a keyboard and a human brain, so they're here to stay. Microsoft researchers discovered in 2007 that the average Web user has about 25 password-protected accounts, and uses about 6.5 different passwords. The Web could not function as it does today without them.

Passwords are a hotly sought commodity in the criminal underworld. The rapid success of phishing attacks over the last few years is due directly to the fact that passwords are often the only protection standing between an attacker and something of value that can be stolen, such as the contents of a person's bank account. With that in mind, you'd expect Web users to routinely create the strongest passwords possible. Sadly, but perhaps not surprisingly, this does not appear to be the case. Studies of large sets of passwords recovered from phishers have found that remarkably few people use recommended practices for generating passwords.

It is widely recommended that passwords mix upper- and lower-case letters, numerals and other symbols, but only 6% of users did so, according to one study of 10,000 leaked Hotmail passwords last year. The most common passwords, used by 42% of victims, consisted entirely of lower-case letters; only 30% of compromised users had passwords mixing letters and numbers. (The flaw in such studies, of course, is that they can only measure password habits among the subset of users who have already fallen for a phishing attack, who are probably not the most security-conscious people in the world. But every system administrator has more than a few of those on her network.)

Easy to remember, hard to guess

The golden rule for passwords is to strike the right balance between memorability and guessability: a password should be easy for its owner to remember but difficult for an attacker to guess. Make it too difficult to remember and users will compromise their own security by writing it down; make it too easy to guess and the password is as good as compromised already.

Enforcing overly long, overly complicated strings that have no semantic value is a losing strategy. Tell a user that the password they must use is SdD83yw%rGh4$gtY and the first thing they will do is write it on a Post-It and stick it to their monitor, defeating the purpose of having a strong password in the first place. Now anybody with access to the user's workspace has access to all of their sensitive data and can hijack whatever functionality the password was supposed to protect. Similarly, I believe that forcing users to change their passwords every month or so to another indecipherable string like the one above will inevitably reduce password quality or lead to the Post-It problem.

Conversely, if a password has too much meaning, it becomes too easy to guess. Banks have warned customers for years to avoid sequential or repetitious strings such as 1234 or 1111 in their PINs, and the same is true online. It takes only a phone book and a passing familiarity with a victim's family to make whole classes of passwords trivially easy to guess. Using the name of a spouse, child or other relative, or the name of the street a user lives on, for example, should be discouraged, as should other easily found information, such as the user's date of birth. In the age of Facebook, finding out details about you is far easier than ever before.

That scenario assumes a targeted attack against a known victim. Another scenario, probably more commonplace, is a brute force attack, in which an attacker tries as many candidate passwords as possible, as quickly as possible, until one works. Against a login form that throttles or locks out after a few failures this is slow; against a database of stolen password hashes, which the attacker can test offline at millions or billions of guesses per second, it is not. Here users can mitigate the risk by picking long, complicated strings: each additional character multiplies the number of candidates by the size of the alphabet in use, and each new class of character (upper case, digits, symbols) enlarges that alphabet, so the effort needed to exhaust the search space grows exponentially with length.

Creating memorable passwords

Due to the risk of "dictionary attacks", users are often advised to steer clear of dictionary words. If the average English speaker's vocabulary is about 10,000 words, a dictionary attack that simply tries each of them could succeed in a matter of seconds. Mixing upper and lower case letters raises the cost of the attack, and replacing one or more letters with numbers or symbols, say a 4 instead of an A or a $ instead of an S, raises it further. Be aware, though, that password-cracking tools apply exactly these substitutions as mangling rules to every word in their lists, so an obvious swap buys far less than the character mix suggests. Dictionary words can be acceptable passwords if such precautions are taken and the modifications go beyond the predictable ones.

Longer passwords offer better protection against brute force attacks and do not always have to be complex. If the protected system accepts long passwords, a short quotation or phrase can be both easily remembered and difficult to guess. A Shakespeare fan could choose OncemoreUntothebreachDearfriends for a hard-to-forget 32 characters; if you like Monty Python, the 34-character nobodyexpectstheSpanishInquisition is trivially called to mind. Bear in mind that the best-known quotations also turn up in crackers' phrase lists, so a line that is memorable to you but not famous, or a famous one with a word changed, is the safer choice. If the system requires a shorter string, a memorable phrase can instead serve as a mnemonic for an acronym built from its initial letters. Sprinkle in a few upper-case letters and swap a few letters for numbers or symbols for extra security.

Another useful method is to use mnemonic "triggers" to help remember your password. These could be based on locations or events, for example. If you create or change a password in a Starbucks over your morning coffee, you might pick frappuccino, or, better, Fr4ppu((1n0. If an attacker subsequently targets you, they have no way of knowing the where and why of your password choice, but you should find it quite easy to picture the location and so recall the mnemonic. Humans are generally much better at remembering images than words, so mentally linking the two can be an effective strategy.
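To make the trade-offs described above concrete, here is an added example (my own illustration, not code from the original article) that scores candidate passwords the way an attacker would: it computes the brute-force search space from length and character classes, estimates cracking time at an assumed throttled online rate and an assumed offline rate for leaked hashes, and checks each candidate against a small constructed wordlist after undoing common letter-for-symbol substitutions, as cracking rule sets do. The wordlist, the guess rates and the candidate passwords are all assumptions chosen for illustration. It goes a little beyond the text by showing that Fr4ppu((1n0 falls to a dictionary attack exactly as readily as frappuccino, and that a famous quotation is only as safe as its absence from the attacker's phrase list.

```python
import math
import string

# Constructed stand-in for a cracker's wordlist. Real lists run to millions of
# entries and include famous quotations, so both phrases from the article are
# included here to show what happens when a memorable phrase is also a famous one.
WORDLIST = {
    "password", "letmein", "monkey", "frappuccino", "starbucks",
    "oncemoreuntothebreachdearfriends",
    "nobodyexpectsthespanishinquisition",
}

# Common "leet" substitutions. Cracking rule sets apply these to every wordlist
# entry, so undoing them before the lookup models what the attacker tries.
LEET = str.maketrans({"4": "a", "@": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t", "(": "c"})

# Assumed order-of-magnitude guess rates: a throttled online login form versus
# offline cracking of leaked fast hashes (MD5, NTLM) on commodity GPUs.
ONLINE_GUESSES_PER_SEC = 10
OFFLINE_GUESSES_PER_SEC = 10_000_000_000
SECONDS_PER_YEAR = 365.25 * 24 * 3600

CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)


def alphabet_size(pw):
    """Size of the smallest union of standard character classes covering pw."""
    return sum(len(cls) for cls in CLASSES if any(ch in cls for ch in pw))


def brute_force_keyspace(pw):
    """Candidates an exhaustive search over pw's length and classes must cover."""
    return alphabet_size(pw) ** len(pw)


def dictionary_hit(pw):
    """True if pw, case-folded and with leet substitutions undone, is in the wordlist."""
    return pw.lower().translate(LEET) in WORDLIST


def seconds_to_crack(pw, rate):
    """Expected time at `rate` guesses/s: a wordlist hit costs half the list on
    average; anything else costs half the brute-force keyspace."""
    candidates = len(WORDLIST) if dictionary_hit(pw) else brute_force_keyspace(pw)
    return candidates / 2 / rate


def assess(pw):
    """Summarise length, alphabet, search-space bits and cracking estimates."""
    return {
        "length": len(pw),
        "alphabet": alphabet_size(pw),
        "bits": round(math.log2(brute_force_keyspace(pw)), 1),
        "dictionary_hit": dictionary_hit(pw),
        "online_years": seconds_to_crack(pw, ONLINE_GUESSES_PER_SEC) / SECONDS_PER_YEAR,
        "offline_years": seconds_to_crack(pw, OFFLINE_GUESSES_PER_SEC) / SECONDS_PER_YEAR,
    }


if __name__ == "__main__":
    # Candidate passwords are constructed for illustration.
    for candidate in ("password", "Pa55word", "frappuccino", "Fr4ppu((1n0",
                      "nobodyexpectstheSpanishInquisition",
                      "Fr4ppu((1n0OnTheCornerOfMainSt"):
        a = assess(candidate)
        print(f"{candidate:36} len={a['length']:2} alphabet={a['alphabet']:2} "
              f"bits={a['bits']:5} dict={str(a['dictionary_hit']):5} "
              f"online={a['online_years']:.2e}y offline={a['offline_years']:.2e}y")
```

Run it with python3 and compare the rows: Pa55word and Fr4ppu((1n0 have large nominal search spaces but are dictionary hits once the substitutions are undone, whereas the 30-character phrase that combines the trigger with a personal detail is not in the list and its estimated offline cracking time is astronomical. The "bits" column is only a brute-force ceiling; a wordlist or rule hit renders it irrelevant.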

Most Web users have yet to find the right balance in their choice of passwords; the majority still err towards simplicity over security. Use these steps to reduce guessability while maintaining memorability. They are remarkably easy to learn and should be part of every organization's security education policy.

Ram Mohan is the Executive Vice President and Chief Technology Officer at Afilias, a global provider of Internet infrastructure services including domain name registry and DNS solutions. Ram also serves as the Security & Stability Advisory Committee's liaison to ICANN’s Board of Directors and has helped direct and write numerous policies affecting domain name registration and DNS security.